Merged in feature/EL-355-as-the-developer-i-want-explicit- (pull request #179)

Feature/EL-355 as the developer i want explicit

Approved-by: patrickt

Author: krh372

jetty-ws-test/src/test/java/dev/getelements/elements/rest/test/EmailCaseNormalizationTest.java

@@ -0,0 +1,120 @@
+package dev.getelements.elements.rest.test;
+
+import dev.getelements.elements.sdk.model.session.SessionCreation;
+import dev.getelements.elements.sdk.model.session.UsernamePasswordSessionRequest;
+import dev.getelements.elements.sdk.model.user.User;
+import dev.getelements.elements.sdk.model.user.UserCreateRequest;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.client.Entity;
+import org.testng.annotations.Factory;
+import org.testng.annotations.Test;
+
+import java.util.UUID;
+
+import static dev.getelements.elements.rest.test.TestUtils.TEST_API_ROOT;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertNotNull;
+
+/**
+ * Verifies that email addresses are case-normalised (stored as lowercase) on signup
+ * and that login succeeds regardless of the case the caller uses.
+ */
+public class EmailCaseNormalizationTest {
+
+    @Factory
+    public Object[] getTests() {
+        return new Object[]{TestUtils.getInstance().getTestFixture(EmailCaseNormalizationTest.class)};
+    }
+
+    @Inject @Named(TEST_API_ROOT)
+    private String apiRoot;
+
+    @Inject
+    private Client client;
+
+    @Inject
+    private ClientContext clientContext;
+
+    // Register with a MIXED-CASE email to verify normalisation at creation time.
+    private final String rawEmail    = "Test.User-" + UUID.randomUUID() + "@Example.COM";
+    private final String lowerEmail  = rawEmail.toLowerCase();
+    private final String name        = "email-norm-" + UUID.randomUUID();
+    private final String password    = UUID.randomUUID().toString();
+
+    private String userId;
+
+    @Test
+    public void signup_mixedCaseEmail_storedAsLowercase() {
+        final var request = new UserCreateRequest();
+        request.setName(name);
+        request.setEmail(rawEmail);
+        request.setPassword(password);
+
+        final var user = client
+                .target(apiRoot + "/signup/session")
+                .request(APPLICATION_JSON)
+                .post(Entity.entity(request, APPLICATION_JSON), SessionCreation.class);
+
+        assertNotNull(user);
+        assertNotNull(user.getSession());
+
+        final var createdUser = user.getSession().getUser();
+        assertNotNull(createdUser);
+        userId = createdUser.getId();
+
+        assertEquals(createdUser.getEmail(), lowerEmail,
+                "Email should be stored as lowercase regardless of how it was supplied");
+    }
+
+    @Test(dependsOnMethods = "signup_mixedCaseEmail_storedAsLowercase")
+    public void login_mixedCaseEmail_succeeds() {
+        final var request = new UsernamePasswordSessionRequest();
+        request.setUserId(rawEmail);   // original mixed-case
+        request.setPassword(password);
+
+        final var response = client
+                .target(apiRoot + "/session")
+                .request(APPLICATION_JSON)
+                .post(Entity.entity(request, APPLICATION_JSON));
+
+        assertEquals(response.getStatus(), 200, "Login with mixed-case email should succeed");
+        final var session = response.readEntity(SessionCreation.class);
+        assertEquals(session.getSession().getUser().getId(), userId);
+    }
+
+    @Test(dependsOnMethods = "signup_mixedCaseEmail_storedAsLowercase")
+    public void login_uppercaseEmail_succeeds() {
+        final var request = new UsernamePasswordSessionRequest();
+        request.setUserId(rawEmail.toUpperCase());
+        request.setPassword(password);
+
+        final var response = client
+                .target(apiRoot + "/session")
+                .request(APPLICATION_JSON)
+                .post(Entity.entity(request, APPLICATION_JSON));
+
+        assertEquals(response.getStatus(), 200, "Login with all-uppercase email should succeed");
+        final var session = response.readEntity(SessionCreation.class);
+        assertEquals(session.getSession().getUser().getId(), userId);
+    }
+
+    @Test(dependsOnMethods = "signup_mixedCaseEmail_storedAsLowercase")
+    public void login_lowercaseEmail_succeeds() {
+        final var request = new UsernamePasswordSessionRequest();
+        request.setUserId(lowerEmail);
+        request.setPassword(password);
+
+        final var response = client
+                .target(apiRoot + "/session")
+                .request(APPLICATION_JSON)
+                .post(Entity.entity(request, APPLICATION_JSON));
+
+        assertEquals(response.getStatus(), 200, "Login with lowercase email should succeed");
+        final var session = response.readEntity(SessionCreation.class);
+        assertEquals(session.getSession().getUser().getId(), userId);
+    }
+
+}

jetty-ws-test/src/test/java/dev/getelements/elements/rest/test/EmailVerificationApiTest.java

@@ -14,6 +14,7 @@
 import org.testng.annotations.Test;
 
 import java.sql.Timestamp;
+import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 
 import static dev.getelements.elements.sdk.dao.UserUidDao.SCHEME_EMAIL;
@@ -137,14 +138,16 @@ public void requestVerification_unauthenticated_returns403() {
     }
 
     /**
-     * Authenticated request with a valid email but no SMTP configured → 400 (InvalidDataException).
-     * This confirms the endpoint is reachable by the authenticated user and that the authorization
-     * check passes; the email-sending failure is the only thing preventing a full success.
+     * Authenticated request with a fresh (never-verified) email but no SMTP configured → 400
+     * (InvalidDataException).  We use a freshly-generated address rather than the user's main email
+     * because other tests in this class may already have set the main email to VERIFIED (which would
+     * trigger an early-return 200 instead of reaching the SMTP path).
      */
     @Test
     public void requestVerification_authenticated_withoutSmtp_returns400() {
+        final var freshEmail = "smtp-test-" + UUID.randomUUID() + "@test.example.com";
         final var request = new EmailVerificationRequest();
-        request.setEmail(clientContext.getUser().getEmail());
+        request.setEmail(freshEmail);
 
         final Response response = client
                 .target(apiRoot + "/user/me/email/verify")

jetty-ws-test/src/test/java/dev/getelements/elements/rest/test/LinkEmailPasswordApiTest.java

@@ -0,0 +1,140 @@
+package dev.getelements.elements.rest.test;
+
+import dev.getelements.elements.sdk.dao.UidVerificationTokenDao;
+import dev.getelements.elements.sdk.model.session.SessionCreation;
+import dev.getelements.elements.sdk.model.session.UsernamePasswordSessionRequest;
+import dev.getelements.elements.sdk.model.user.LinkEmailPasswordRequest;
+import dev.getelements.elements.sdk.model.user.User;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.client.Entity;
+import jakarta.ws.rs.core.Response;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Factory;
+import org.testng.annotations.Test;
+
+import java.sql.Timestamp;
+import java.util.UUID;
+import java.util.concurrent.TimeUnit;
+
+import static dev.getelements.elements.sdk.dao.UserUidDao.SCHEME_EMAIL;
+import static dev.getelements.elements.sdk.model.Headers.SESSION_SECRET;
+import static dev.getelements.elements.rest.test.TestUtils.TEST_API_ROOT;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertNotNull;
+
+/**
+ * Integration tests for {@code POST /user/me/link/email-password}.
+ *
+ * <p>The VERIFIED prerequisite is fulfilled by creating a token directly via
+ * {@link UidVerificationTokenDao} and consuming it via {@code GET /verify?token=...},
+ * which avoids needing a live SMTP server.
+ */
+public class LinkEmailPasswordApiTest {
+
+    @Factory
+    public Object[] getTests() {
+        return new Object[]{TestUtils.getInstance().getTestFixture(LinkEmailPasswordApiTest.class)};
+    }
+
+    @Inject @Named(TEST_API_ROOT)
+    private String apiRoot;
+
+    @Inject
+    private Client client;
+
+    @Inject
+    private ClientContext clientContext;
+
+    @Inject
+    private UidVerificationTokenDao tokenDao;
+
+    private final String linkedPassword = UUID.randomUUID().toString();
+
+    @BeforeClass
+    public void setup() {
+        clientContext.createUser("link-ep-test").createSession();
+
+        // Verify the user's email directly via the DAO so we can call the link endpoint.
+        final var user = clientContext.getUser();
+        final var email = user.getEmail();
+        final var expiry = new Timestamp(System.currentTimeMillis() + TimeUnit.HOURS.toMillis(1));
+        final var token = tokenDao.createToken(user, SCHEME_EMAIL, email, expiry);
+
+        final var verifyResponse = client
+                .target(apiRoot + "/verify")
+                .queryParam("token", token)
+                .request(APPLICATION_JSON)
+                .get();
+
+        assertEquals(verifyResponse.getStatus(), 200, "Email verification prerequisite failed");
+    }
+
+    @Test
+    public void linkEmailPassword_unauthenticated_returns403() {
+        final var request = new LinkEmailPasswordRequest();
+        request.setEmail(clientContext.getUser().getEmail());
+        request.setPassword(linkedPassword);
+
+        final var response = client
+                .target(apiRoot + "/user/me/link/email-password")
+                .request(APPLICATION_JSON)
+                .post(Entity.entity(request, APPLICATION_JSON));
+
+        assertEquals(response.getStatus(), 403);
+    }
+
+    @Test(dependsOnMethods = "linkEmailPassword_unauthenticated_returns403")
+    public void linkEmailPassword_unknownEmail_returns404() {
+        // Unknown email → getUserUid throws UserNotFoundException → 404
+        final var request = new LinkEmailPasswordRequest();
+        request.setEmail("no-uid-" + UUID.randomUUID() + "@test.example.com");
+        request.setPassword(linkedPassword);
+
+        final var response = client
+                .target(apiRoot + "/user/me/link/email-password")
+                .request(APPLICATION_JSON)
+                .header(SESSION_SECRET, clientContext.getSessionSecret())
+                .post(Entity.entity(request, APPLICATION_JSON));
+
+        assertEquals(response.getStatus(), 404);
+    }
+
+    @Test(dependsOnMethods = "linkEmailPassword_unknownEmail_returns404")
+    public void linkEmailPassword_verifiedEmail_returns200() {
+        final var request = new LinkEmailPasswordRequest();
+        request.setEmail(clientContext.getUser().getEmail());
+        request.setPassword(linkedPassword);
+
+        final var response = client
+                .target(apiRoot + "/user/me/link/email-password")
+                .request(APPLICATION_JSON)
+                .header(SESSION_SECRET, clientContext.getSessionSecret())
+                .post(Entity.entity(request, APPLICATION_JSON));
+
+        assertEquals(response.getStatus(), 200);
+        final var user = response.readEntity(User.class);
+        assertNotNull(user);
+        assertNotNull(user.getId());
+    }
+
+    @Test(dependsOnMethods = "linkEmailPassword_verifiedEmail_returns200")
+    public void login_withLinkedPassword_succeeds() {
+        final var request = new UsernamePasswordSessionRequest();
+        request.setUserId(clientContext.getUser().getEmail());
+        request.setPassword(linkedPassword);
+
+        final var response = client
+                .target(apiRoot + "/session")
+                .request(APPLICATION_JSON)
+                .post(Entity.entity(request, APPLICATION_JSON));
+
+        assertEquals(response.getStatus(), 200);
+        final var session = response.readEntity(SessionCreation.class);
+        assertNotNull(session.getSession());
+        assertEquals(session.getSession().getUser().getId(), clientContext.getUser().getId());
+    }
+
+}